
ps x process

Discussion in 'General Discussion' started by lefteris, Feb 7, 2008.

  1. lefteris

    lefteris Member

    Joined:
    Nov 5, 2005
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    1
    Dear All,
    On my server I found 3-4 processes with the name ps x, and they call PERL [defunct].
    Can you please tell me what this is?

    Please, can you give me some find (-switch) to search my server for trojans?

    I have installed chkrootkit and it did not find anything.

    Thanks,
    lefteris
     
  2. vanessa

    vanessa Well-Known Member
    PartnerNOC

    Joined:
    Sep 26, 2006
    Messages:
    817
    Likes Received:
    22
    Trophy Points:
    18
    Location:
    Virginia Beach, VA
    cPanel Access Level:
    DataCenter Provider
    Such a switch does not exist. To track the perl processes, run 'lsof -p <pid> |more' and see where it's executing from, which is usually indicated in the first or second line of the output. If you don't recognize the location, or it's running from /tmp or /dev/shm, it's probably a hack process. Honestly, it's normal for these to pop up on servers once in a while, usually caused by a vulnerable web application, but if it's running as root then be prepared to wipe your box down.
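As an added example (not from this thread or from cPanel), a small POSIX sh helper that applies vanessa's check to a PID: it reads cwd, executable and user from /proc and flags the indicators she names, plus an executable that was deleted after launch; SUSPECT_DIRS, the function names and the verdict strings are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread or from cPanel): a triage helper for the
# check vanessa describes. classify_proc judges a process from the facts lsof
# gives you (cwd, executable, user); triage_pid collects those facts from /proc
# for a live PID on Linux. Paths and verdict strings are my own choices.

# Directories a legitimate daemon has no business executing from.
SUSPECT_DIRS="/tmp /var/tmp /dev/shm"

# classify_proc CWD EXE USER -> prints "ok" or "SUSPICIOUS: <reasons>"
classify_proc() {
    cwd=$1; exe=$2; user=$3; reasons=""
    for d in $SUSPECT_DIRS; do
        case "$cwd" in "$d"|"$d"/*) reasons="$reasons cwd-in-$d";; esac
        case "$exe" in "$d"|"$d"/*) reasons="$reasons exe-in-$d";; esac
    done
    # Executable unlinked after launch: nothing left on disk, process still alive.
    case "$exe" in *" (deleted)") reasons="$reasons exe-deleted";; esac
    # A rogue process as root means more than a compromised web application.
    [ "$user" = "root" ] && reasons="$reasons runs-as-root"
    if [ -z "$reasons" ]; then echo ok; else echo "SUSPICIOUS:$reasons"; fi
}

# triage_pid PID -> prints the facts, then the verdict, for a live process.
triage_pid() {
    pid=$1
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid"; return 1; }
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)
    user=$(id -un "$uid" 2>/dev/null || echo "$uid")
    cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    echo "pid=$pid user=$user cwd=$cwd exe=$exe cmd=$cmd"
    classify_proc "$cwd" "$exe" "$user"
}

# Usage: sh triage.sh PID... ; e.g. sh triage.sh $(pgrep -x perl)
for p in "$@"; do triage_pid "$p"; done
```

A script started as `perl /tmp/x.pl` after a `cd /` passes these two checks, which is why lefteris's process (cwd /, exe /usr/bin/perl, user nobody) would look clean here; the IRC connection he later saw in netstat is the stronger signal.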
     
  3. lefteris
    Hi again,
    thanks for your answer.

    I ran the query and here is the result.

    COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
    perl 16023 nobody cwd DIR 8,5 4096 2 /
    perl 16023 nobody rtd DIR 8,5 4096 2 /
    perl 16023 nobody txt REG 8,3 1004382 1115085 /usr/bin/perl
    perl 16023 nobody mem REG 8,5 46680 131112 /lib/libnss_files-2.5.so
    perl 16023 nobody mem REG 8,5 125736 131286 /lib/ld-2.5.so
    perl 16023 nobody mem REG 8,5 1589908 131288 /lib/libc-2.5.so
    perl 16023 nobody mem REG 8,5 16428 132689 /lib/libdl-2.5.so
    perl 16023 nobody mem REG 8,5 208352 132692 /lib/libm-2.5.so
    perl 16023 nobody mem REG 8,5 27736 132695 /lib/libcrypt-2.5.so
    perl 16023 nobody mem REG 8,5 101404 132694 /lib/libnsl-2.5.so
    perl 16023 nobody mem REG 8,3 16278 1245551 /usr/lib/perl5/5.8.8/i686-linux/auto/IO/IO.so
    perl 16023 nobody mem REG 8,5 76400 132693 /lib/libresolv-2.5.so
    perl 16023 nobody mem REG 8,5 21788 131110 /lib/libnss_dns-2.5.so
    perl 16023 nobody mem REG 8,3 22792 1245450 /usr/lib/perl5/5.8.8/i686-linux/auto/Socket/Socket.so
    perl 16023 nobody mem REG 8,5 15164 132696 /lib/libutil-2.5.so
    perl 16023 nobody mem REG 8,3 56405424 1018184 /usr/lib/locale/locale-archive
    perl 16023 nobody 0r CHR 1,3 1359 /dev/null
    perl 16023 nobody 1w FIFO 0,6 3504727594 pipe
    perl 16023 nobody 2w REG 8,3 3457114 1640504 /usr/local/apache/logs/error_log~ (deleted)


    I tried to find something, but nothing.
    In netstat I see an IRC connection, so I believe it's a bot.
    But how can I kill and remove it?
     
  4. vanessa
    Take the PID, which in your case is 16023, and kill it:

    kill -9 16023
     
  5. lefteris
    I did it, but after some time the file is running again.

    I cannot find the file.
     
  6. lefteris
    The same problem again.

    I kill the process, but it's running again after 2-3 hours.
     
  7. lefteris
    Please, can you explain this to me?

    [10:26:10] Warning: The command '/usr/bin/GET' has been replaced by a script: /usr/bin/GET: perl script text executable
    [10:26:10] /usr/bin/groups [ Warning ]
    [10:26:10] Warning: The command '/usr/bin/groups' has been replaced by a script: /usr/bin/groups: Bourne shell script text executable
    [10:26:12] /usr/bin/perl [ Warning ]
    [10:26:12] Warning: Write permission is set on file '/usr/bin/perl' for all users.
    [10:26:14] /usr/bin/wget [ Warning ]
    [10:26:14] Warning: Write permission is set on file '/usr/bin/wget' for all users.
    [10:26:15] /usr/bin/whatis [ Warning ]
    [10:26:15] Warning: The command '/usr/bin/whatis' has been replaced by a script: /usr/bin/whatis: Bourne shell script text executable
    [10:26:16] /sbin/ifup [ Warning ]
    [10:26:16] Warning: The command '/sbin/ifup' has been replaced by a script: /sbin/ifup: Bourne-Again shell script text executable

    And how can I fix it?
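Added example, not part of the thread or of rkhunter: a POSIX sh check that re-tests the two conditions in the rkhunter output above (the other-write bit, and a script sitting where a compiled binary belongs) and, on RPM-based systems, asks `rpm -V` whether the file still matches its package; the file_kind and audit_bin names and the verdict strings are mine.

```shell
#!/bin/sh
# Added example (not from the thread, rkhunter or cPanel): re-check the two
# conditions the rkhunter output above reports, without relying on rkhunter.
# audit_bin PATH prints "ok" or "WARNING: <reasons>"; on an RPM-based system it
# also asks the package database whether the file still matches its package.

# file_kind PATH -> elf | script | other, decided from the first bytes of the file.
file_kind() {
    magic=$(head -c 4 "$1" | od -An -c | tr -d ' \n')
    case "$magic" in
        177ELF) echo elf;;
        '#!'*)  echo script;;
        *)      echo other;;
    esac
}

# audit_bin PATH -> "ok" or "WARNING: <reasons>"
audit_bin() {
    f=$1; reasons=""
    [ -e "$f" ] || { echo "missing: $f"; return 1; }
    # Other-write bit set: any local user, 'nobody' included, can rewrite it.
    [ "$(ls -ld "$f" | cut -c9)" = "w" ] && reasons="$reasons world-writable"
    # Commands in /usr/bin and /sbin normally ship as ELF binaries; a shell or
    # perl script in their place means the original was replaced.
    [ "$(file_kind "$f")" = "script" ] && reasons="$reasons replaced-by-script"
    # If a package owns the file, rpm -V lists it when size/mode/digest differ.
    if command -v rpm >/dev/null 2>&1 && rpm -qf "$f" >/dev/null 2>&1; then
        rpm -Vf "$f" 2>/dev/null | grep -q "[[:space:]]$f\$" \
            && reasons="$reasons differs-from-package"
    fi
    if [ -z "$reasons" ]; then echo ok; else echo "WARNING:$reasons"; fi
}

# Usage: sh audit.sh /usr/bin/GET /usr/bin/groups /usr/bin/perl /usr/bin/wget ...
for f in "$@"; do printf '%s: ' "$f"; audit_bin "$f"; done
```

Note that /usr/bin/GET is a perl script in a normal install too, so for it only the rpm comparison says anything; the other four paths in the output above are expected to be ELF binaries.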
     